The COMODO internet security overview (Firewall and Defense+)

>>The Firewall:
>The Interface:

goto: Firewall > Common Tasks. This holds the log of events, the user-defined applications (trusted/blocked), a view of the currently active connections, and the network zones that have been blocked.

FIREWALL > Advanced, on the other hand, holds the important and powerful user-controlled tasks, such as the Network Security Policy, Pre-defined Policies, Attack Detection Settings and Firewall Behavior Settings.



>Typically:
COMODO delivers best on its firewall engine. The main features any security product should have are: regular updates, identification of programs that communicate with the internet in the background, a check for open ports, warning messages, and an event log of internet activity.
>>>not my work
These tests were performed by the well-known magazine CHIP (Dec '08 issue).
>What’s in COMODO:
This firewall is known for its sophistication. The computer magazines on the market that have tested it at security levels from one up to ten have rated this engine, on average, 86% secure (referring to a magazine) and a top performer among many others.
The tests carried out were:
1>Bypass the firewall using the Active Desktop COM interface
2>If the firewall allows an untrusted process to launch or modify browser memory
3>If it allows malicious code to be injected into Explorer
4>If it is able to block attempts to manipulate a running instance of your browser
5>If it protects IE from being manipulated using Windows messages
6>If it is possible to inject a malicious DLL into Windows Explorer
7>Inject into the browser using an advanced DLL injection method
8>If the firewall functionality can be disabled or terminated using a standard method
9>If a malicious program can crash the firewall
10>Checks for special kinds of firewall kernel hooks
**These tests were carried out by security experts at: http://www.matousec.com
>The Network Security Policy:
goto: FIREWALL > Advanced > Application Rules > select application > edit…

This is where you can actually control the most stubborn applications, which often try to communicate with the internet without the user noticing.

>More on Network Security Policy:
Edit shows further advanced options for the selected application.

For example, here I've blocked the Adobe Reader updater by selecting it and editing its access to the web. I've also ticked the option to log the event whenever that rule fires, so we can verify that it is actually being blocked.



There are many other customizations which can further enhance your computing experience. And as always, if you need it, help is available at any time (at the bottom of the window!).

>Traffic Flow:

The firewall analyses every packet of data going in and out of your PC using a combination of Application and Global Rules.
·         For outgoing connection attempts, the application rules are consulted first and the global rules second.
·         For incoming connection attempts, the global rules are consulted first and the application rules second.
Therefore, outgoing traffic has to 'pass' the application rules and then any global rules before it is allowed out of your system. Similarly, incoming traffic has to 'pass' any global rules first, then any application-specific rules that apply to the packet.
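The two-stage evaluation just described can be modelled in a few lines. The following is an added example, not code from the page or from Comodo; the rule and packet structures, the first-match semantics, the process names and the sample policy are all assumptions constructed for the illustration. It shows why the order matters: an outgoing packet the application rule allows can still be stopped by a global rule, and an unsolicited incoming packet is stopped by the global rules before the application's own rules are ever consulted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    app: str          # process that owns the socket (constructed names below)
    direction: str    # "out" or "in"
    proto: str        # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # None acts as a wildcard for that field
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(
            want is None or want == have
            for want, have in (
                (self.direction, pkt.direction),
                (self.proto, pkt.proto),
                (self.remote_ip, pkt.remote_ip),
                (self.remote_port, pkt.remote_port),
            )
        )


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first rule that matches the packet, or None if no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def evaluate(pkt: Packet, app_rules: Dict[str, List[Rule]], global_rules: List[Rule]) -> Tuple[str, str]:
    """Consult the two rule sets in the order the page describes and report which stage decided.

    Simplification (an assumption of this example): a stage with no matching rule lets the
    packet through to the next stage, whereas the real product would raise an alert for an
    application that has no matching rule.
    """
    per_app = app_rules.get(pkt.app, [])
    if pkt.direction == "out":
        stages = [("application", per_app), ("global", global_rules)]   # out: app first
    else:
        stages = [("global", global_rules), ("application", per_app)]   # in: global first
    for name, rules in stages:
        if first_match(rules, pkt) == "block":
            return ("block", name)
    return ("allow", "both")


# Constructed sample policy: the Reader updater is blocked outright (as on the page), the
# browser may make outbound TCP connections, and the global rules forbid direct SMTP
# (port 25) from any program and drop all unsolicited inbound connections.
APP_RULES: Dict[str, List[Rule]] = {
    "adobe_updater.exe": [Rule(action="block", direction="out")],
    "firefox.exe": [Rule(action="allow", direction="out", proto="tcp")],
}
GLOBAL_RULES: List[Rule] = [
    Rule(action="block", direction="out", remote_port=25),
    Rule(action="block", direction="in"),
]

if __name__ == "__main__":
    samples = [
        Packet("firefox.exe", "out", "tcp", "198.51.100.10", 443),
        Packet("firefox.exe", "out", "tcp", "198.51.100.25", 25),
        Packet("adobe_updater.exe", "out", "tcp", "198.51.100.10", 443),
        Packet("firefox.exe", "in", "tcp", "203.0.113.7", 8080),
    ]
    for pkt in samples:
        verdict, stage = evaluate(pkt, APP_RULES, GLOBAL_RULES)
        print(f"{pkt.app:18} {pkt.direction:3} {pkt.proto}/{pkt.remote_port:<5} -> {verdict} ({stage} rules)")
```

The second sample is the instructive one: the browser's own rule says "allow", yet the packet is blocked, because outgoing traffic must pass the global rules too. Ticking "log if this rule is fired" on such a rule, as the page suggests, is how you confirm in the event log which stage made the decision.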
>Attack Detection Settings:
TCP Flood / UDP Flood / ICMP Flood
Flood attacks happen when thousands of packets of data are sent from a spoofed IP source address to a victim's machine. The victim's machine automatically sends back a response to each of these requests (SYN packets) and waits for an acknowledgement (an ACK packet). But because the requests were "sent" from a spoofed IP address, the victim's machine never receives any acknowledgement packets. This results in a backlog of unanswered requests that begins to fill up the victim's connection table. When the connection table is full, the victim's machine refuses to accept any new connections, which means your computer can no longer connect to the Internet, send email, use FTP services etc. When this is done repeatedly from multiple sources it floods the victim machine, which has a limit on the number of unacknowledged responses it can handle, and may cause it to crash.
By default, Comodo Firewall is configured to accept TCP, UDP and ICMP traffic at a maximum rate of packets per second for a set duration of time. The defaults for all three protocols are 20 packets per second for a continuous duration of 20 seconds. The number of packets per second, and the maximum duration for which the firewall should accept packets at this rate, can be reconfigured to the user's preference by altering the appropriate field. If these thresholds are exceeded, a DoS attack is detected and the firewall goes into emergency mode.
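To make the "20 packets per second for 20 seconds" threshold concrete, here is an added example of a per-protocol rate monitor; it is not Comodo's code and the page does not describe the product's internal counters, so the bucketed counting and the exact trigger condition (every one of the last 20 whole seconds above 20 packets) are assumptions of this example. The traffic it runs over is constructed inline.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


class FloodDetector:
    """Per-protocol packets-per-second monitor in the spirit of the setting described above.

    A protocol enters "emergency mode" once its packet count has exceeded `max_pps` in each
    of `max_seconds` consecutive whole seconds; 20/20 are the defaults the page quotes.
    """

    def __init__(self, max_pps: int = 20, max_seconds: int = 20) -> None:
        self.max_pps = max_pps
        self.max_seconds = max_seconds
        # proto -> whole second -> packets seen in that second (assumed bucketing scheme)
        self.buckets: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
        self.emergency: Set[str] = set()

    def observe(self, proto: str, ts: float) -> bool:
        """Record one packet; return True if this packet tipped the protocol into emergency mode."""
        now = int(ts)
        self.buckets[proto][now] += 1
        if proto in self.emergency:
            return False
        window = range(now - self.max_seconds + 1, now + 1)
        # "Exceeded" means strictly more than max_pps; exactly 20 pps is still accepted.
        if all(self.buckets[proto][sec] > self.max_pps for sec in window):
            self.emergency.add(proto)
            return True
        return False


def synth_traffic(proto: str, pps: int, seconds: int, start: float = 0.0) -> List[Tuple[str, float]]:
    """Constructed traffic: `pps` evenly spaced packets per second for `seconds` seconds."""
    return [(proto, start + i / pps) for i in range(pps * seconds)]


def run(events: Iterable[Tuple[str, float]], max_pps: int = 20, max_seconds: int = 20) -> Dict[str, float]:
    """Feed timestamped packets to the detector; return the time at which each protocol was flagged."""
    det = FloodDetector(max_pps, max_seconds)
    flagged: Dict[str, float] = {}
    for proto, ts in sorted(events, key=lambda e: e[1]):
        if det.observe(proto, ts):
            flagged[proto] = ts
    return flagged


if __name__ == "__main__":
    # Constructed mix: a sustained ICMP burst, a UDP stream under the limit, and a short TCP burst.
    events = synth_traffic("icmp", 50, 25) + synth_traffic("udp", 15, 60) + synth_traffic("tcp", 50, 10)
    print(run(events))   # only icmp is flagged, at the first packet that breaks the 20th second
```

Two things the simulation makes visible: a burst that is too short (the TCP stream, 10 seconds) never trips the detector however high its rate, and a stream that sits exactly at the limit never does either. Both are the kind of edge you would check before lowering the thresholds on a machine that runs a game server or a VoIP client.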

Block fragmented IP Datagrams
When a connection is opened between two computers, they must agree on a Maximum Transmission Unit (MTU). IP datagram fragmentation occurs when data passes through a router with an MTU smaller than the one you are using, i.e. when a datagram is larger than the MTU of the network over which it must be sent, it is divided into smaller 'fragments' which are each sent separately. Fragmented IP packets can create threats similar to a DoS attack. Moreover, fragmentation can double the time it takes to send a single packet and slow down your download speed.
Comodo Firewall is set by default to block fragmented IP datagrams, i.e. the option Block Fragmented IP Datagrams is checked by default.
Do Protocol Analysis
Protocol analysis is key to the detection of fake packets used in denial-of-service attacks. Checking this option means Comodo Firewall checks that every packet conforms to that protocol's standards. If not, the packet is blocked.
Do Packet Checksum Verification
Every packet of data sent to your machine has a signature attached. With this option enabled, Comodo Firewall will recalculate the checksum of the incoming packet and compare it against the checksum stated in the signature. If the two do not match, the packet has been altered since transmission and Comodo Firewall will block it. Although this feature has security benefits, it is also very resource intensive, and your Internet connection speed may take a large hit if checksum verification is performed on every packet. This feature is intended for advanced users, and Comodo advises most home users not to enable it.
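The three packet-level options above (blocking fragments, protocol analysis, checksum verification) all come down to reading the IPv4 header. The following added example is not Comodo's code; it builds a minimal IPv4 packet itself (addresses and payload are constructed) and then applies the three checks to it. The RFC 1071 ones'-complement checksum it verifies is the standard IPv4 header checksum; it is an error-detection code rather than a cryptographic signature, so it catches corruption in transit but not a sender who recomputes the field, which is worth knowing when weighing the performance cost the page mentions.

```python
import struct
from typing import List


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Header checksum: complement of the ones'-complement sum, checksum field zeroed."""
    return (~ones_complement_sum(header)) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))


def build_ipv4_packet(src: str, dst: str, payload: bytes = b"", proto: int = 6,
                      more_fragments: bool = False, frag_offset: int = 0, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet (20-byte header, no options) with a correct checksum."""
    flags_frag = (int(more_fragments) << 13) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), 0x1234,
                         flags_frag, ttl, proto, 0, _ip(src), _ip(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def inspect(packet: bytes) -> List[str]:
    """Return the reasons a filter with the three options enabled would block this packet."""
    reasons: List[str] = []
    if len(packet) < 20:
        return ["protocol: header truncated"]
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, _proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0xF
    # Protocol analysis: the fields must obey the IPv4 header format.
    if version != 4:
        reasons.append("protocol: version field is not 4")
    if ihl < 5:
        reasons.append("protocol: header length below the 20-byte minimum")
    if total_len != len(packet):
        reasons.append("protocol: total length disagrees with bytes received")
    # Fragment check: the More-Fragments flag or a non-zero fragment offset marks a fragment.
    if (flags_frag >> 13) & 1 or flags_frag & 0x1FFF:
        reasons.append("fragment: datagram is an IP fragment")
    # Checksum verification: summing the whole header, checksum field included, must give 0xFFFF.
    if ones_complement_sum(packet[:ihl * 4]) != 0xFFFF:
        reasons.append("checksum: header checksum does not verify")
    return reasons


if __name__ == "__main__":
    good = build_ipv4_packet("192.0.2.1", "192.0.2.2", b"hello")
    tampered = good[:19] + bytes([good[19] ^ 0x01]) + good[20:]   # flip one bit of the destination
    fragment = build_ipv4_packet("192.0.2.1", "192.0.2.2", b"hello", more_fragments=True)
    for name, pkt in ("good", good), ("tampered", tampered), ("fragment", fragment):
        print(f"{name:9}: {inspect(pkt) or ['pass']}")
```

Note that the fragment is rejected purely on its flags: its checksum is valid and its fields are well-formed, which is exactly why "Block fragmented IP datagrams" is a separate switch from protocol analysis and why it is the one most likely to break legitimate traffic on a path with a small MTU.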
Monitor other NDIS protocols than TCP/IP
This forces Comodo Firewall to capture packets belonging to any protocol driver other than TCP/IP. Trojans can potentially use their own protocol driver to send and receive packets, and this option is useful for catching such attempts. It is disabled by default because it can reduce system performance and may be incompatible with some protocol drivers.
After all this analysis and testing, COMODO FW proves to be the best performer at securing your home computer, and for free.

With an installation file of about 72MB (uncompressed) and RAM usage of only about 6MB, COMODO proves to be the more efficient FW in the free class.

>>The DEFENSE+:
COMODO has this very good proprietary tool with which the user controls the protected registry keys, COM interfaces and trusted software vendors. The user can also view the event log and analyse executable files to see whether they are safe or not. Files can be blocked, and they can even be marked as safe files.
>The Interface:

The next option, My Protected Files, lets the user view the files and system folders that are of utmost importance for the smooth running of the host OS.
My Blocked Files shows the files that you have blocked. You can always block or unblock any file, depending on the situation.
My Pending Files contains those files which the COMODO engine is not able to recognise. You can select all these files and move them to My Own Safe Files or My Blocked Files; otherwise you can just remove them.
My Own Safe Files contains those files which have been marked as safe by the user.
In the View Active Process List the user can see the currently running tasks.
Trusted Software Vendors, Protected Registry Keys and COM Interfaces hold all the trusted names and values which are to remain unaffected and unblocked by viruses or Trojans.

In the Advanced section, as seen above, you can go deeper and manually assign access rights to the installed software.
goto: Defense+ > Advanced > Computer security policy > select an application > edit > Access Rights > and play with them!!
Next; the Predefined Security Policies helps to


One thought on "The COMODO internet security overview (Firewall and Defense+)"

  1. Pleased to get enlightened about COMODO but don't know why corporates turn their eyes off it. Symantec's "Norton Endpoint Protection" still rules when it comes to corporates and colleges …
